AWS to Users: Secure Your S3 Buckets

Amazon Web Services Inc. (AWS) has taken to warning customers to secure their S3 storage buckets in the wake of several reports of confidential information being exposed on wide-open data stores.

Security firms have repeatedly warned of the dangers of S3 buckets with loose access controls, with at least one -- UpGuard Inc. -- dedicating a team to search out such exposed troves and publicize each finding, explaining what data was accessibile and what attackers could do with it.

Despite having published much security best practices guidance on its site to explain proper configuration, the problem is being publicized so often that AWS is providing more such guidance via e-mail, according to several recent reports.

A Reddit user posted the purported contents of one such e-mail, which reads:

Hello,

We're writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow read access from any user on the Internet. The list of buckets with this configuration is below.

By default, S3 bucket ACLs allow only the account owner to list the bucket or write/delete objects; however, these ACLs can be configured to permit public read access. While there are reasons to configure buckets with public read access, including public websites or publicly downloadable content, recently there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow public read access but were not intended to be publicly available.

We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects visible to users that you don't intend. Bucket ACLs can be reviewed in the AWS Management Console (http://console.aws.amazon.com ), or using the AWS CLI tools. ACLs permitting "All Users" grant public read access to the related content.

Your list of buckets configured to allow read access from anyone on the Internet are:
[redacted]

Several readers confirmed the content of the AWS e-mails (as did at least one user on Twitter), and one responded with: "They've been presumably sending these out because S3 has been in the news basically every week at the moment regarding people storing databases or database backups containing sensitive data in public buckets with little/no security attached. I think it's a good reminder as this is happening all the time right now but I'm not sure how effective it will be since a lot of smaller orgs I know using AWS still don't have a good grasp of ACLs and bucket policies."

When contacted about the e-mails by CRN, a spokesperson replied: "With some recent public disclosures by third parties of Amazon S3 bucket contents that customers inadvertently configured to allow public access, we wanted to be proactive about helping customers make sure they don't have bucket access they didn't intend."